Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication

Manav Bhatia <manav_bhatia06@yahoo.co.uk> Thu, 20 April 2006 03:13 UTC

Message-ID: <20060420031300.56131.qmail@web25407.mail.ukl.yahoo.com>
Date: Thu, 20 Apr 2006 03:13:00 +0000
From: Manav Bhatia <manav_bhatia06@yahoo.co.uk>
Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
To: tony.li@tony.li, Hannes Gredler <hannes@juniper.net>
In-Reply-To: <009801c663ee$0fb8bf90$4b7d14ac@tropos.com>
Cc: isis-wg@ietf.org

I would agree with Tony and I don't think advertising multiple instances of TLV 10 is required. OTOH, I see a potential problem with including multiple TLVs, as that can lead to a simple DoS attack wherein the sender puts multiple TLVs and the receiving router gets overwhelmed processing each one of those. The idea of including multiple TLVs was discussed when we were writing this draft and it was rejected because of the reason stated above.
 
If you notice, we send the Key ID in TLV 10. Doing this can help us during key rollover, wherein we can have multiple keys configured and the receiver only needs to verify the packet with the key associated with the given Key ID. Not doing this can be CPU intensive for the receiving router during the key rollover when multiple keys are configured and random packets are sent in.
 
Cheers,
Manav

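As an added illustration of the two receiver strategies argued over in this thread (the Key ID lookup Manav describes above, and the try-every-configured-key approach in Tony's message quoted below), here is a small Python model that is not part of the draft or of any vendor implementation. The TLV 10 layout (auth type byte, 16-bit Key ID, then the digest), the auth type code point 3, the 8-byte fixed PDU header, the filler TLV and the sample keys are all assumptions made for this example, as is the rule that the HMAC covers the whole PDU with the digest field zeroed. The point it makes is the one Manav raises: a PDU with an unknown Key ID costs the receiver zero HMAC computations under the lookup scheme, but one computation per configured key under the try-all scheme.

```python
"""Receiver-side key selection for an HMAC-authenticated IS-IS-style PDU.

Added example, not code from the draft or any router implementation.
Assumed Authentication TLV (type 10) layout, big-endian:
    type(1) | length(1) | auth_type(1) | key_id(2) | digest(n)
The auth_type code point, the 16-bit Key ID and HDR_LEN are assumptions.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

TLV_AUTH = 10
AUTH_TYPE_HMAC_SHA = 3            # assumed code point for HMAC-SHA
HDR_LEN = 8                       # assumed fixed header before the TLVs
DIGEST_LEN = {"sha1": 20, "sha256": 32}

KeyChain = Dict[int, Tuple[bytes, str]]      # key_id -> (secret, algo)


def _mac(key: bytes, algo: str, data: bytes) -> bytes:
    return hmac.new(key, data, getattr(hashlib, algo)).digest()


def sign_pdu(body: bytes, key_id: int, key: bytes, algo: str) -> bytes:
    """Append TLV 10 to body; the HMAC covers the PDU with the digest zeroed."""
    n = DIGEST_LEN[algo]
    hdr = struct.pack("!BBBH", TLV_AUTH, 3 + n, AUTH_TYPE_HMAC_SHA, key_id)
    covered = body + hdr + b"\x00" * n
    return body + hdr + _mac(key, algo, covered)


def find_auth_tlv(pdu: bytes) -> Optional[Tuple[int, int, bytes, bytes]]:
    """Walk the TLVs; return (auth_type, key_id, digest, covered) or None."""
    off = HDR_LEN
    while off + 2 <= len(pdu):
        t, length = pdu[off], pdu[off + 1]
        val = pdu[off + 2:off + 2 + length]
        if len(val) != length:
            return None                     # truncated TLV
        if t == TLV_AUTH:
            if length < 3:
                return None
            auth_type, key_id = struct.unpack("!BH", val[:3])
            digest = val[3:]
            covered = pdu[:off + 5] + b"\x00" * len(digest) + pdu[off + 2 + length:]
            return auth_type, key_id, digest, covered
        off += 2 + length
    return None


def verify_by_key_id(pdu: bytes, keychain: KeyChain) -> Tuple[bool, int]:
    """Key ID selects exactly one key: at most one HMAC per PDU."""
    found = find_auth_tlv(pdu)
    if found is None:
        return False, 0
    auth_type, key_id, digest, covered = found
    if auth_type != AUTH_TYPE_HMAC_SHA or key_id not in keychain:
        return False, 0                     # rejected before any HMAC work
    key, algo = keychain[key_id]
    if len(digest) != DIGEST_LEN[algo]:
        return False, 0
    return hmac.compare_digest(_mac(key, algo, covered), digest), 1


def verify_try_all(pdu: bytes, accept: List[Tuple[bytes, str]]) -> Tuple[bool, int]:
    """Ignore the Key ID and try every configured (secret, algo) pair."""
    found = find_auth_tlv(pdu)
    if found is None:
        return False, 0
    auth_type, _key_id, digest, covered = found
    if auth_type != AUTH_TYPE_HMAC_SHA:
        return False, 0
    tries = 0
    for key, algo in accept:
        if len(digest) != DIGEST_LEN[algo]:
            continue
        tries += 1
        if hmac.compare_digest(_mac(key, algo, covered), digest):
            return True, tries
    return False, tries


def demo() -> Dict[str, Tuple[bool, int]]:
    # Constructed rollover state: key 1 is the old key, key 2 the new one.
    # The receiver accepts both; the sender already transmits with key 2.
    keychain: KeyChain = {1: (b"old-secret", "sha256"), 2: (b"new-secret", "sha256")}
    accept = list(keychain.values())
    body = b"\x83" + b"\x00" * 7 + bytes([1, 3, 0x49, 0x00, 0x01])  # constructed
    good = sign_pdu(body, 2, *keychain[2])
    bogus = sign_pdu(body, 7, b"guess", "sha256")   # unknown Key ID, wrong key
    tampered = bytearray(good)
    tampered[10] ^= 0x01                            # flip a covered byte
    return {
        "good_by_id": verify_by_key_id(good, keychain),
        "good_try_all": verify_try_all(good, accept),
        "bogus_by_id": verify_by_key_id(bogus, keychain),
        "bogus_try_all": verify_try_all(bogus, accept),
        "tampered_by_id": verify_by_key_id(bytes(tampered), keychain),
    }


if __name__ == "__main__":
    for name, (ok, tries) in demo().items():
        print(f"{name:15s} ok={ok!s:5s} hmac_computations={tries}")
```

The second element of each result is the number of HMAC computations the receiver spent on that PDU. With a Key ID, a flood of PDUs carrying IDs the router does not have is dropped at a table lookup; without one, every such PDU costs as many HMACs as there are keys in the accept list, which is the cost Manav is pointing at and which grows with every key kept around for rollover.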

----- Original Message ----
From: Tony Li <tli@tropos.com>
To: Hannes Gredler <hannes@juniper.net>; tony.li@tony.li
Cc: isis-wg@ietf.org
Sent: Thursday, 20 April, 2006 1:45:54 AM
Subject: RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication


Hannes,

I'm of the opinion that key rollover and algorithm rollover do not
require actual additional protocol specification and that transmitting
multiple TLVs is not necessary.  For any form of rollover to work, a
receiver must be prepared to accept multiple different combinations of
password and algorithm.  It does not seem like a substantial effort for
the receiver to try all of the possibilities that it is configured for.

Given this, one way to do smooth rollover is to go around and configure
all nodes with the new password and/or algorithm.  Once that's completed
and in production, then nodes can be set to transmit the new password
and/or algorithm.

While 802.11's WEP is hardly a good example of this for security
purposes, most implementations provide a fine example of how the UI for
this would work: one key is used for transmit, while a list of keys is
accepted.

Regards,
Tony

P.s. Yes, I'm well aware that implementations do not currently support
this behavior and will have to change.  Including Juniper's.  Sorry.
;-) 


> -----Original Message-----
> From: Hannes Gredler [mailto:hannes@juniper.net] 
> Sent: Wednesday, April 19, 2006 1:02 PM
> To: tony.li@tony.li
> Cc: 'Sofia Ray'; isis-wg@ietf.org
> Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> 
> furthermore, it would be also time to think about authentication-type
> migration support. i.e. discuss about authentication-type 
> [simple->md5->sha]
> and key rollover schemes and nail down the necessary behaviour
> (multiple instances of TLV #10).
> 
> the prevailing method for both authentication-type and key rollover
> (= disabling authentication check during the transition window)
> is not really smooth.
> 
> /hannes
> 
> Tony Li wrote:
> > Sofia,
> > 
> > While I know of no substantive risks to the use of MD5 today as used in
> > 3567, history suggests that someday, there will be.  Thus, having other
> > algorithms available is only prudent and I strongly support that goal.
> > 
> > Regards,
> > Tony
> > 
> > 
> >>-----Original Message-----
> >>From: Sofia Ray [mailto:sofia.ray@lycos.com] 
> >>Sent: Wednesday, April 19, 2006 11:04 AM
> >>To: isis-wg@ietf.org
> >>Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> >>
> >>Manav,
> >>
> >>Whats wrong with the authentication scheme detailed in 3567?
> >>
> >>Yours,
> >>Sofia
> >>
> >>----- Original Message ----
> >>From: Manav Bhatia <manav_bhatia06@yahoo.co.uk>
> >>To: isis-wg@ietf.org
> >>Sent: Wednesday, 19 April, 2006 8:30:00 AM
> >>Subject: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> >>
> >>
> >>Hi,
> >>
> >>We have written a draft on extending ISIS to use HMAC-SHA 
> >>authentication. Would appreciate if we can get some feedback 
> >>from the WG. The mechanism proposed in the draft is backward 
> >>compatible and would work with the existing ISIS implementations.
> >>
> >>Cheers,
> >>Manav
> >>
> >>----- Forwarded Message ----
> >>From: Internet-Drafts@ietf.org
> >>To: i-d-announce@ietf.org
> >>Sent: Wednesday, April 19, 2006 4:20:01 AM
> >>Subject: I-D ACTION:draft-bhatia-manral-isis-hmac-sha-00.txt
> >>
> >>A New Internet-Draft is available from the on-line 
> >>Internet-Drafts directories.
> >>
> >>    Title        : IS-IS HMAC SHA Cryptographic Authentication
> >>    Author(s)    : M. Bhatia, V. Manral
> >>    Filename    : draft-bhatia-manral-isis-hmac-sha-00.txt
> >>    Pages        : 8
> >>    Date        : 2006-4-18
> >>
> >>This document proposes an extension to IS-IS [ISO] [RFC1195] 
> >>to allow the use of HMAC SHA authentication algorithm in 
> >>addition to the already documented authentication schemes 
> >>described in the base specification and RFC 3567.
> >>
> >>A URL for this Internet-Draft is:
> >>http://www.ietf.org/internet-drafts/draft-bhatia-manral-isis-hmac-sha-00.txt
> >>
> >>
> >>
> >>
> >>
> > 
> > 
> > 
> > 
> 



_______________________________________________
Isis-wg mailing list
Isis-wg@ietf.org
https://www1.ietf.org/mailman/listinfo/isis-wg